Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

  1. password policy

    For cloud-only accounts, the current password policy in Azure AD restricts the use of the last used password ONLY. In my organization the general password policy guideline is to prevent reuse of the last 10 passwords. It would be a great feature if this could be made configurable. Would love to see this.

    12 votes

    1 comment  ·  Authentication
  2. NIST 800-63B Digital Identity Guidelines

    Please update the password requirements to match both those of NIST 800-63B Digital Identity Guidelines and those suggested by Microsoft https://www.microsoft.com/en-us/research/publication/password-guidance/.

    Also the ability to build a password blacklist.

    18 votes

    0 comments  ·  Authentication

    We’re well aware of the NIST 800-63B guidelines (and it’s my team that wrote that password whitepaper!). We’re currently making some foundational changes that should subsequently let us implement many or most of the password composition guidelines.

    As for a password blacklist, today we have a banned password list in place that prevents users from using known-bad words, phrases, and passwords. We also have a custom list feature that lets you define your own words and patterns. That’s in private preview today and we’re working to get it to public preview over the next few months.
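
Added example (Python, not Microsoft's implementation) covering ideas 1 and 2 above: a local password-acceptance check of the kind the reply describes, with a banned list (a small constructed global list plus a constructed tenant-specific custom list) matched after normalising case and common character substitutions so that "P@ssw0rd" still hits "password", the NIST SP 800-63B minimum of 8 characters with no composition rules, and a configurable password history (10 deep by default, the depth idea 1 asks for) kept as salted PBKDF2 hashes. The banned terms, the substitution table and the iteration count are illustrative assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional, Tuple

# Constructed stand-in for the service-wide banned list the reply mentions;
# a real list runs to many thousands of breached and common passwords.
GLOBAL_BANNED = {"password", "qwerty", "letmein", "welcome", "iloveyou", "abc123"}

# Constructed tenant-specific custom list (the "custom list feature" in the reply):
# company and product names, local teams, anything context-specific to the tenant.
CUSTOM_BANNED = {"contoso", "fabrikam", "seahawks"}

# Common substitutions users apply to dodge banned-word checks (assumption; extend as needed).
_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                                "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 8               # NIST SP 800-63B: at least 8 characters, no composition rules
HISTORY_DEPTH = 10           # the history depth idea 1 asks for
PBKDF2_ITERATIONS = 100_000  # illustration only; tune to your hardware and latency budget


def normalize(password: str) -> str:
    """Lower-case and undo leetspeak so 'P@ssw0rd' matches the banned term 'password'."""
    return password.lower().translate(_SUBSTITUTIONS)


def banned_term_found(password: str, banned: Iterable[str], min_term_len: int = 4) -> Optional[str]:
    """Return the banned term that occurs inside the normalized password, or None.
    Very short terms are skipped so that e.g. 'abc' does not reject every password containing it."""
    norm = normalize(password)
    for term in banned:
        t = term.lower()
        if len(t) >= min_term_len and t in norm:
            return term
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Salted hashes of the last `depth` passwords for one account, newest last.
    Storing hashes rather than plaintext means a dump of the history store is not a dump of old passwords."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        self._entries: List[Tuple[bytes, bytes]] = []

    def record(self, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._entries.append((salt, hash_password(password, salt)))
        self._entries = self._entries[-self.depth:]  # drop entries older than `depth`

    def was_used(self, password: str) -> bool:
        # Each entry has its own salt, so the candidate is re-hashed once per entry.
        return any(hmac.compare_digest(hash_password(password, salt), digest)
                   for salt, digest in self._entries)


def evaluate(password: str, history: PasswordHistory) -> List[str]:
    """Return every policy violation for a proposed password; an empty list means it is accepted."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    term = banned_term_found(password, GLOBAL_BANNED)
    if term:
        problems.append(f"contains banned term '{term}'")
    term = banned_term_found(password, CUSTOM_BANNED)
    if term:
        problems.append(f"contains custom banned term '{term}'")
    if history.was_used(password):
        problems.append(f"matches one of the last {history.depth} passwords")
    return problems
```

The substring match on a normalised string is what makes a banned list useful in practice: a plain equality check lets "Contoso2019!" through even though "contoso" is on the custom list. Call `history.record()` only after a change has been accepted, and keep the history store under the same protection as the credential store itself.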

  3. Expose all the attributes available for dynamic device groups.

    This would allow easy separation between internally managed devices and BYO devices. Attributes such as IsManaged or DirSyncEnabled are not available even when creating advanced rules.

    11 votes

    4 comments  ·  Authentication
  4. Restrict Groups List on Claims Identity to Only Groups (not directory roles)

    Amend the http://schemas.microsoft.com/ws/2008/06/identity/claims/groups claim of the user identity so that it only includes groups, not directory roles as well. (Or add a further groupMembershipClaims value to the manifest, such as "GroupsOnly", in addition to the current "All" | "SecurityGroup" | null options.)

    Currently if a user is in either the Global Administrator or Limited Administrator role, the ID of this role appears in the list of groups as well. See details on StackOverflow here: https://stackoverflow.com/questions/45215615/phantom-group-membership-in-azure-ad

    2 votes

    0 comments  ·  Authentication
  5. OAUTH integration

    For integration with OAuth2, several solutions were tried, both at the mobile application level (React Native) and at the backend level (Laravel).

    The problem we encounter with the Laravel libraries is that they are focused on web applications, where the process includes a redirect to the Microsoft page to sign in. Since we are running from a server, we would have no way to make this redirect for the user. In Laravel we use Socialite, which is Laravel's own, and the PHP League's OAuth 2 Client. In the research process in Microsoft forums, especially in this question (…

    2 votes

    0 comments  ·  Authentication
  6. have SAML AuthnRequest to include the username/email specified in Azure login forms

    When using any 3rd-party SAML IdP to federate Azure AD authentication, why don't you include the typed email (user ID) from the Azure portal in the SAML AuthnRequest, so that forms-based IdPs can prefill the username to streamline and simplify authentication? The specs allow a <saml:Subject> as an optional part of the AuthnRequest.

    7 votes

    1 comment  ·  Authentication
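
Added example (Python standard library only; not Azure AD's or any IdP's code): an AuthnRequest carrying the optional <saml:Subject> the post refers to, together with the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding) that delivers it to the IdP and the decode step an IdP performs on receipt. The SP entity ID, IdP SSO URL and ACS URL are placeholders; the NameID is the typed username the post wants pre-filled.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, urlencode

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)

# Placeholders (assumptions): the SP's entity ID, the IdP's SSO endpoint and the SP's ACS URL.
SP_ENTITY_ID = "https://sp.example.test/metadata"
IDP_SSO_URL = "https://idp.example.test/sso"
SP_ACS_URL = "https://sp.example.test/saml/acs"


def build_authn_request(issuer: str, destination: str, acs_url: str,
                        login_hint: Optional[str] = None) -> bytes:
    """Serialize an AuthnRequest. When login_hint is given it is carried in the optional
    <saml:Subject>/<saml:NameID> so a forms-based IdP can pre-fill its username field."""
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,  # xs:ID must not start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = issuer
    if login_hint:
        # Schema order is Issuer, (Signature), (Extensions), Subject, NameIDPolicy, ...
        subject = ET.SubElement(req, f"{{{NS_SAML}}}Subject")
        name_id = ET.SubElement(subject, f"{{{NS_SAML}}}NameID",
                                {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"})
        name_id.text = login_hint
    return ET.tostring(req, encoding="utf-8")


def redirect_binding_query(authn_request_xml: bytes, relay_state: Optional[str] = None) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode as SAMLRequest.
    The SigAlg/Signature query parameters used for signed requests are omitted here."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = comp.compress(authn_request_xml) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_redirect_binding(query: str) -> bytes:
    """What the IdP does on receipt: the inverse of redirect_binding_query."""
    saml_request = parse_qs(query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(saml_request), -15)


def subject_name_id(authn_request_xml: bytes) -> Optional[str]:
    """Extract the pre-fill hint. An IdP must treat it as untrusted input: encode it before
    rendering it into a form and never use it as an authenticated identity.
    (Parse untrusted XML with defusedxml in production; ElementTree is used here for brevity.)"""
    root = ET.fromstring(authn_request_xml)
    el = root.find(f"{{{NS_SAML}}}Subject/{{{NS_SAML}}}NameID")
    return el.text if el is not None else None


if __name__ == "__main__":
    xml_bytes = build_authn_request(SP_ENTITY_ID, IDP_SSO_URL, SP_ACS_URL,
                                    login_hint="alice@contoso.example")
    print(xml_bytes.decode())
    print(f"{IDP_SSO_URL}?{redirect_binding_query(xml_bytes, relay_state='/home')}")
```

A Subject in an AuthnRequest is only a hint: it states whom the SP expects, not whom the IdP authenticated. The SP still has to check the returned assertion's signature, audience and validity window and compare its Subject with what was requested, and the IdP should treat the hint purely as form pre-fill text.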
  7. Skipping account selection page in Azure AD v2 on consent

    Hello,
    We are using AD v2 implicit flow to authenticate a user from within SharePoint.
    The base url is: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token&scope=<>&client_id=<>&redirect_uri=<>&state=<>&nonce=<>&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=0.1.1&client-request-id=<>&response_mode=fragment

    Prompt consent in combination with domain hint for an organization does not seem to work correctly.
    Here are our observations with the following parameters:

    A. &prompt=none&domain_hint=organizations | Works correctly and uses the organisational account
    B. &prompt=consent&domain_hint=organizations | Does not work and restarts the user login process, including re-entering the email address
    C. &prompt=consent | Works correctly and gives the user a selection of logged-in accounts

    We would like if scenario B would work the same…

    8 votes

    0 comments  ·  Authentication

    Thanks for filing this. I cannot reproduce this under any variety of circumstances. prompt=consent & domain_hint=organizations drops me on the account picker as expected.

    Please reach out if this still happens for you, and we’ll help debug the issue.

    Thanks,
    Azure Identity AuthN team.
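
Added example (Python standard library; not MSAL.js or Microsoft code): how the authorize request in the post is assembled with the parameter names the endpoint expects (response_type, client_id, redirect_uri, response_mode, plus the optional prompt and domain_hint the post experiments with), with state and nonce drawn from a CSPRNG, and how the fragment response is checked against the stored state before the id_token is touched. The client ID and redirect URI are placeholders.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"


def new_token() -> str:
    """Unguessable value for state and nonce (32 random bytes, URL-safe encoded)."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, scope: str, state: str, nonce: str,
                        prompt: Optional[str] = None, domain_hint: Optional[str] = None) -> str:
    """Implicit-flow request for an id_token returned in the URL fragment.
    state binds the response to this browser session; nonce binds the id_token to this request.
    Both must be stored (session cookie or server-side) before the redirect is issued."""
    params: Dict[str, str] = {
        "response_type": "id_token",
        "response_mode": "fragment",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    if prompt:        # e.g. "none", "consent", "select_account"
        params["prompt"] = prompt
    if domain_hint:   # e.g. "organizations", "consumers" or a verified domain name
        params["domain_hint"] = domain_hint
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_fragment_response(redirected_url: str, expected_state: str) -> Dict[str, str]:
    """Parse the #fragment appended by the authorization server and enforce the state check.
    A response whose state does not match the value stored for this session is discarded; that
    is what stops a response minted for some other session being injected into this one."""
    fragment = urlparse(redirected_url).fragment
    fields = {k: v[0] for k, v in parse_qs(fragment, keep_blank_values=True).items()}
    if "error" in fields:
        raise ValueError(f"authorization error {fields['error']}: {fields.get('error_description', '')}")
    # Constant-time comparison on bytes; a non-ASCII value from an attacker must not raise TypeError.
    if not hmac.compare_digest(fields.get("state", "").encode("utf-8"), expected_state.encode("utf-8")):
        raise ValueError("state mismatch: response is not bound to this request")
    if "id_token" not in fields:
        raise ValueError("no id_token in response")
    # The caller must still validate the id_token (signature, iss, aud, exp) and check that its
    # nonce claim equals the nonce stored alongside expected_state before using any claim.
    return fields
```

prompt and domain_hint only shape the sign-in UI; neither is a security control, and `prompt=none` in particular must be paired with handling of the `error=login_required` / `interaction_required` fragment the server returns when a silent sign-in is not possible.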

  8. Support for OAuth 2.0 SAML Bearer Assertion Flow

    I need a way to authenticate as a user without requiring the user to authenticate to Azure AD and without requiring their password.

    Salesforce provides for this as part of their support for OAuth 2.0 SAML Bearer Assertion Flow, documented at https://help.salesforce.com/articleView?id=remoteaccessoauthSAMLbearerflow.htm&language=en&type=0 and https://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-23.

    I'm posting information about the Salesforce solution (above) as an example for how this feature might be supported in Azure AD. In summary, authentication is achieved as part of a trust established between the identity provider and the relying party, using a certificate. A signed SAML assertion is submitted to the…

    38 votes

    10 comments  ·  Authentication

    Reposting so that folks get a notification – from Paul:

    Depending on the exact scenario you can do this today. For applications that do interactive browser based sign in to get a SAML assertion, but then want to add access to an OAuth protected API such as Graph, you can simply make an OAuth request to get an Access token for the API. When the browser is redirected to Azure AD to authenticate the user, the browser will pick up the session from the SAML sign in and the user won’t have to enter their credentials.

    We are also supporting the OAuth SAML Bearer Assertion flow for users authenticating with IdPs such as ADFS federated to AAD, so that the SAML assertion obtained from ADFS can be used in an OAuth flow to authenticate the user. I’ll post here again when documentation for that is ready.

  9. Need option to export Win 10 Domain Joined Device Registration details with Owner names

    Right now we are not getting owner details for Win 10 domain-joined registered devices; the value is showing as {}. If we got those details it would be good for managing devices.

    2 votes

    1 comment  ·  Authentication
  10. My apps iOS app login

    The Microsoft "My Apps" mobile app is great, but it is prompting us for authentication several times a day.

    I think Microsoft should update the app to use the same sign-in process as other apps: Outlook, OneDrive, Planner, etc.

    2 votes

    2 comments  ·  Authentication
  11. password

    The current SSRPT does not give a 3rd option to enter a new password because it has expired (90-day policy); it currently provides: 1. I have forgotten; 2. I know my password but I can't log in (unlock feature). This language issue is causing a lot of confusion for our users.

    The site also needs to return a meaningful error message when the user is unable to reset the password, not a generic one like what's available today.

    Finally, it would be handy to have listed when I last logged in successfully or had a failed attempt using my password.

    1 vote

    0 comments  ·  Authentication
  12. OpenID Connect id_token is missing email claim

    The id_token issued by Microsoft's OpenID Connect provider (e.g. https://sts.windows.net/8a220739-24c6-4fe6-a02b-daebc641357c/) is missing the "email" claim even when I specifically request the "email" scope and my OpenID Connect client has "email" as a delegated permission. Am I missing something?

    14 votes

    0 comments  ·  Authentication
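
Added example (Python, not Microsoft code) for this idea and for idea 4 above: decode an id_token's payload for inspection, key the user on the immutable tid/oid pair rather than on an email address, fall back to preferred_username or upn for display only when email is absent, and strip directory-role object IDs out of the groups claim. The token is constructed locally and unsigned; the role IDs would come from the tenant (for example by listing directory roles via Microsoft Graph) and are constructed here. A real client validates the signature, issuer, audience, expiry and nonce before trusting any claim.

```python
import base64
import json
from typing import Dict, List, Optional, Set


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))  # restore stripped padding


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def decode_jwt_payload_unverified(token: str) -> Dict:
    """Decode the payload segment of a compact JWT WITHOUT checking the signature.
    For inspection and debugging only: never make an authorization decision on an unverified token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def make_demo_token(claims: Dict) -> str:
    """Constructed, UNSIGNED token for local testing of the helpers below. Azure AD tokens are
    RS256-signed; a real client must reject alg 'none' outright."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def stable_user_key(claims: Dict) -> str:
    """tid + oid identifies the user immutably within a tenant. email, upn and preferred_username
    can change, be absent, or (for guests) belong to another tenant, so never key records on them."""
    return f"{claims['tid']}:{claims['oid']}"


def display_email(claims: Dict) -> Optional[str]:
    """Best-effort address for display: email if issued, else preferred_username or upn.
    None of these is a verified mailbox; treat the result as a label, not an identity."""
    for name in ("email", "preferred_username", "upn"):
        if claims.get(name):
            return claims[name]
    return None


def security_groups_only(claims: Dict, directory_role_ids: Set[str]) -> List[str]:
    """Remove directory-role object IDs from the groups claim (the behaviour idea 4 describes:
    activated admin roles show up alongside real groups). directory_role_ids is the set of role
    object IDs for the tenant, which an app can list via Graph; it is constructed in the test."""
    return [g for g in claims.get("groups", []) if g not in directory_role_ids]
```

If your authorization model maps group IDs to permissions, an unexpected role ID in the groups claim is harmless only as long as no mapping exists for it; filtering against the tenant's known role IDs, or mapping only explicitly allow-listed group IDs, keeps the two namespaces from being confused.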
  13. WHR Parameter: Make Azure AD recognise a tenant "SAML Entity ID" in whr

    The change I'm suggesting is to make AzureAD recognise a tenant's "SAML Entity ID" as a valid value for whr, in addition to the list of registered domains.

    Reason:
    When authenticating to a third party with AzureAD as the identity provider we provide them a SAML Entity ID of: https://sts.windows.net/{tenant-guid}/

    The third party is using AD FS. To avoid their home realm discovery page we can specify whr=https://sts.windows.net/{tenant-guid}/ in the URL we use.

    The third party then redirects back to https://login.microsoftonline.com/{tenant-guid}/wsfed?wa=wsignin1.0&wtrealm=....&whr=https://sts.windows.net/{tenant-guid}/

    The problem is our users who are already logged in to AzureAD are asked to start the login…

    3 votes

    0 comments  ·  Authentication
  14. REMOTE DESKTOP SERVICES Windows 2012 R2

    I would like to set up Remote Desktop Services in Win2012R2 with MFA but authenticate to Azure AD. Is this possible? I would like to avoid authenticating to on-prem domain controllers over an S2S VPN. I have peering set up between the RDS VNet and the Azure AD VNet; please advise.

    2 votes

    0 comments  ·  Authentication
  15. Azure AD Connect - SSO- Without redirecting to login page- SPO

    Whenever a user tries to open an SPO deep link from an IE favorite, it redirects to the login page. How can we log in to SPO without the sign-in page / selecting the email ID?

    2 votes

    0 comments  ·  Authentication
  16. Provide ability if we want to use SP or IDP auth for apps in the marketplace

    I'd like the ability to pick what form of auth is used for apps I install from the marketplace. For example, if I install the Salesforce app it only allows setup for SP. In order to use IDP I have to create a non-gallery app.

    1 vote

    0 comments  ·  Authentication
  17. Make Microsoft Account authentication great again

    https://apps.dev.microsoft.com seems broken... I cannot create an app (getting: "There's a temporary problem with the service. Please try again. If you continue to get this message, try again later") for 3 days now.

    2 votes

    2 comments  ·  Authentication
  18. Enable Organizational Account

    Enable Organizational Account checkbox in VS publishing profile:
    this checkbox is checked by default when publishing an AAD App Service to Azure.
    However, when checked, it will create a NEW App Registration in AAD.
    This can lead to your API returning 401 in the scenario where an AAD App Registration was previously created and configured: it will be ignored in favor of the one created by VS.
    Also, in my specific case, the new App Registration was not visible in the AAD tenant's Applications list, so it took a month of Azure support and several hours on the phone…

    1 vote

    0 comments  ·  Authentication
  19. Allow HTTP Redirect URIs from private address spaces as well as localhost

    localhost is currently the only host allowed for non-SSL redirect URIs in OAuth2 authentication. This prevents HTTP development testing among various computers within an organization, since any "localhost" setting in a Windows 10 hosts file is ignored.

    I therefore suggest that hosts for HTTP redirect URIs also be allowed to be a non-public IP address: 192.168.x.x or 10.x.x.x.

    8 votes

    2 comments  ·  Authentication
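
Added example (Python, not Azure AD's validation logic): a redirect-URI check of the shape the post describes, with exact matching against the registered list, https always accepted, plain http only for localhost/loopback (RFC 8252 section 7.3), and the RFC 1918 extension the post asks for behind an explicit opt-in flag. The registered URIs are placeholders.

```python
import ipaddress
from typing import Iterable
from urllib.parse import urlsplit

# RFC 1918 ranges the post asks to allow for plain-http development callbacks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def redirect_uri_allowed(candidate: str, registered: Iterable[str], allow_private_http: bool = False) -> bool:
    """Decide whether `candidate` may receive an authorization response.

    1. Exact string match against the registered URIs (no prefix, wildcard or path normalisation:
       'https://app/cb/../x' is a different string and is rejected).
    2. https is always acceptable.
    3. Plain http is acceptable only for localhost / loopback (RFC 8252 section 7.3) or, when the
       operator opts in, for an RFC 1918 private address.
    """
    if candidate not in set(registered):
        return False
    parts = urlsplit(candidate)
    if parts.scheme == "https":
        return True
    if parts.scheme != "http":
        return False  # custom schemes etc. are outside this check
    host = parts.hostname or ""  # '[::1]' is returned as '::1'
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # http to any other hostname is rejected
    if ip.is_loopback:
        return True   # 127.0.0.0/8 and ::1
    return allow_private_http and any(ip in net for net in RFC1918)
```

Why the flag defaults to off: cleartext http to a private address exposes the id_token or code to anyone on the path, and 192.168.x.x is not globally unique, so a different machine on another network can sit at the registered address. Enable it only on a dev-tenant app registration. RFC 8252 also recommends ignoring the port for loopback URIs (so a dev server can pick an ephemeral one); this example keeps strict exact matching for simplicity.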
  20. buffer app sign on is no longer working

    I have added and configured Buffer in my Azure AD applications tab. I configured it correctly; however, the sign-on never happens when the end user clicks on the app. Just the main home page of buffer.com is shown.

    2 votes

    0 comments  ·  Authentication